ClawHub
Back to skill
v0.1.2

Github Copilot Cli

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This is a coherent instruction-only guide for using GitHub Copilot CLI, with expected caution around sharing code context with Copilot and relying on an undeclared local CLI dependency.

GuidanceBefore installing, confirm you are comfortable using GitHub Copilot CLI on the target repository, use narrow `--path` scopes, avoid secrets or restricted code, verify the official `gh copilot` tooling is installed, and manually review any generated suggestions before applying or merging them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
gh copilot suggest "Add logging when translation fallback is used" --path services/translation

The skill instructs use of local Copilot CLI commands to generate or review code-related suggestions. This is central to the stated purpose and is scoped to paths, but users should still review outputs before applying changes.

User impactCopilot may produce code suggestions that affect a project if the user later applies them.
RecommendationKeep prompts and `--path` scopes narrow, inspect diffs and tests, and do not automatically merge generated changes.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
gh copilot suggest "As a backend engineer, propose a minimal fix for mixed-language carryover" --path src/

The skill depends on the `gh copilot` command, while the provided metadata declares no required binaries and no install spec. This is an under-declared dependency rather than hidden code.

User impactUsers must provide their own GitHub CLI/Copilot installation, so a malicious or unofficial local binary would affect command behavior.
RecommendationInstall GitHub CLI and any Copilot extension from official sources and verify which `gh` binary is on the PATH before use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
gh copilot explain "What does this service do?" --path src/

The workflow sends or provides local code-path context to GitHub Copilot CLI for analysis. This is expected for the skill, but it can involve private source code or project context.

User impactPrivate repository content or implementation details could be processed by the Copilot service when these commands are run.
RecommendationUse the skill only on repositories and files approved for Copilot use, avoid including secrets, and follow your organization's GitHub Copilot data policy.